On February 1, the Federal Trade Commission (“FTC”) issued the staff report Mobile Privacy Disclosures: Building Trust Through Transparency (the “Report”), which provides a series of consumer privacy-focused recommendations for key stakeholders in the mobile app ecosystem, including developers, platform providers, third-party advertising networks, and others. The Report responds to the explosive growth in smartphone use by consumers within the past few years and focuses on best practices to ensure that consumers receive timely and easy-to-understand information about the personal data that apps collect and how that data is used or shared with third parties.
The report recommendations represent a culmination of efforts initiated by the Commission, as well as other federal and state regulators, during the past several years. Specifically, the report recommendations are based on the FTC’s final privacy framework released in March 2012; a May 2012 FTC workshop that assessed the need for updated online industry guidance regarding disclosures and privacy practices; and two reports released in 2012 that detailed the results of surveys by FTC staff that examined the privacy disclosures and practices associated with 400 mobile apps targeted to children. The report also draws from recent mobile app industry guidance from the California Attorney General, and initial recommendations from the ongoing privacy multi-stakeholder process convened by the National Telecommunications & Information Administration (“NTIA”).
In addition to releasing the staff report, the Commission announced two other items that reflect the Commission’s current focus on mobile app privacy. As described below, the FTC introduced a new business guide that complements the privacy disclosure report with a set of data security best practices tailored to mobile app developers. The FTC also announced a settlement with a prominent social networking app developer over charges that it deceived users about its data collection practices and violated the Children’s Online Privacy Protection Act (“COPPA”) Rule by collecting personal information from children without their parents’ consent.
A summary of the Report’s key recommendations for each stakeholder in the mobile app ecosystem includes the following:
Recommendations for Online Platforms and OS Providers
Recommendations for Mobile App Developers
Recommendations for Advertising Networks, Analytics Companies, and Other Third Parties
Recommendations for App Developer Trade Associations, Academics, Researchers and Others
In conjunction with the release of its mobile app disclosure report, the Commission issued the guide for businesses, Mobile App Developers: Start with Security, which outlines practical tips for developers to ensure that the data collected by mobile apps remains secure and protected. The guide serves as a data security complement to the Commission’s August 2012 mobile marketing guide, Marketing Your Mobile App: Get It Right from the Start, which contains suggestions for developers with respect to truthful advertising and the FTC’s final privacy framework.
The FTC’s latest business guide recommends that developers implement “reasonable data security practices” that reflect each mobile app’s target user, its unique configuration, and its app-specific data collection practices. Specifically, the key recommendations within the guide include the following:
As evidence that the FTC’s efforts to protect consumer privacy will continue to involve a combination of industry guidance and active enforcement, the Commission also announced a settlement with the social networking app developer Path, Inc. over charges that it deceived its users by collecting personal information from their mobile device address books without their knowledge and consent. According to the FTC’s Complaint, Path automatically, and without users’ consent, collected and stored available names, addresses, phone numbers, email addresses, dates of birth, and Facebook and Twitter usernames contained in a user’s address book. The FTC also claimed that Path violated the COPPA Rule by collecting data from approximately 3,000 children under the age of 13 without providing notice or obtaining consent from their parents.
In resolving the FTC’s allegations, the settlement requires Path to establish a comprehensive privacy program that includes biennial independent privacy audits for the next 20 years. Path will also pay $800,000 in civil penalties to settle the charges that it violated COPPA. Notably, the settlement with Path comes a little more than a month after FTC Staff revealed that they launched multiple non-public investigations to determine whether certain entities in the mobile app ecosystem are violating the COPPA Rule or engaging in unfair or deceptive practices in violation of Section 5 of the FTC Act.
The release of the FTC staff’s mobile app disclosure report and data security guidance, and the announcement of the enforcement action against Path, coincided with the announcement that FTC Chairman Jon Leibowitz, the FTC’s long-standing advocate for consumer privacy protections, will resign his position at the Commission later this month. Despite Chairman Leibowitz’s departure, these latest developments provide a clear indication that consumer privacy education and enforcement will remain a priority at the Commission for the foreseeable future.
As a result, all stakeholders in the mobile app ecosystem would be wise to heed the Commission’s recommendations and carefully evaluate their existing privacy practices and disclosures and apply the FTC’s best practices, as appropriate. While styled as “best practices,” considering and implementing such proactive efforts are highly likely to identify and mitigate the possibility of inadvertently engaging in business practices that the FTC (and other regulators and litigants) view as illegal trade practices, which pose exposure to investigations, monetary payments, and long-term restrictions on business practices going forward – none of which is good for business.
Dana B. Rosenfeld is a Partner and Chair of the Privacy and Information Security Practice. John Heitmann is a Partner in Kelley Drye & Warren LLP's Washington, DC office and is Co-Chair of the firm's Telecommunications practice group. Alysa Zeltzer Hutnik is a Partner. She represents clients in all forms of consumer protection matters. Matthew P. Sullivan is an Associate who focuses his practice in the areas of advertising, privacy and information security, consumer protection, and food and drug law. Associate Jameson J. Dempsey focuses his practice in the areas of telecommunications, information technology, and data privacy and security matters.